(54) Method and system for monitoring and controlling network access



(57) A method and system for monitoring and controlling network access includes non-intrusively monitoring network traffic and assembling data packets that are specific to individual node-to-node transmissions in order to manage network access both inside and outside of a network. A rules base (78) is generated to apply at either or both of the connection time and the time subsequent to connection. With regard to a particular node-to-node transmission, the data packets are assembled to identify the source and destination nodes, as well as contextual information (i.e., ISO Layer 7 information). The access rules are applied in a sequential order to determine whether the transmission is a restricted transmission. The rules are maintained in a single rules base (78) for the entire network and are distributed to each monitoring node. Any of the protocols in the suite of TCP/IP protocols can be managed. The result of an analysis against the rules base (78) causes a connection attempt to be completed or denied, a previously established connection to be broken, logging to occur, or a combination of these and other actions. Data collected during connection attempts or during a connection's lifetime may be passed to a third-party hardware or software component in order for independent validation to take place. Traffic monitoring and access management can be executed at a node other than a choke point of the network.
Description
TECHNICAL FIELD 

[0001] The invention relates generally to a method and system for managing access control to resources of a distributed network and relates more particularly to monitoring and controlling computer users' access to network resources from both inside and outside the network.

BACKGROUND ART 

[0002] There are a number of available topologies for computer networks of nodes. A computer network may be highly centralized, having a mainframe computer that is accessed by a number of user computers, such as desktop computers. Currently, the trend is away from centralization and toward distributed processing and client-server relationships. In a distributed network, intelligence and processing power are distributed among a number of network nodes, typically with client workstations communicating with distributed servers. Other relationships among nodes of a network are known.
[0003] A network of nodes may be associated with a single enterprise, such as a local area network (LAN) of a particular business. Such a network enables communications and data exchanges among the various nodes of the network. A single protocol may be used in the accessing of resources within the LAN. Thus, when a first node, such as a client workstation, accesses the computing resources of a second node, such as a server for storing various applications, data is exchanged without requiring a protocol conversion.
[0004] However, the largest and most pervasive network is the non-proprietary global communications network referred to as the Internet. A number of different network protocols are used within the Internet. Protocols that fall within the Transmission Control Protocol/Internet Protocol (TCP/IP) suite include the HyperText Transfer Protocol (HTTP) that underlies communications via the World Wide Web, TELNET for allowing access to a remote computer, the File Transfer Protocol (FTP), and the Simple Mail Transfer Protocol (SMTP) to provide a uniform format for exchanging electronic mail, as well as a number of standardized or proprietary protocols for multimedia and broadcast services.

[0005] An implementation of these and other Internet protocols solely within an organization is often referred to as an Intranet, while the use of such protocols across a restricted set of Internet sites that are relevant to a particular organization is referred to as the organization's Extranet.

[0006] Much attention has been given to installing computer network gateways which focus on ensuring that potential intruders (sometimes referred to as "hackers") cannot gain illegal access via the Internet to an organization's computing resources on their Intranets. These gateways are "choke points," through which network traffic that is to be controlled must flow. Such "firewalls" are configured to allow any outbound connection or traffic to occur, but to restrict inbound traffic to specific services that are deemed to be non-threatening to the organization. Firewalls may also perform a limited amount of "packet filtering," which attempts to control traffic by reference to non-contextual, low-level network packets.

[0007] An issue that receives less attention is ensuring that the employees of an organization are appropriately managed. This management extends to accessing external computer resources and accessing internal computer resources. The management may be set forth in an access control policy of the organization. With respect to many aspects, the management is the converse of the problem that firewalls are intended to solve. While firewalls are focused on keeping intruders from gaining unwanted accesses, access control systems are focused on ensuring that insiders are managed according to the access control policy of the organization.

[0008] There are a number of motivations for implementing an access control policy within an organization. With regard to controlling external communications, two important reasons are maximizing employee productivity by ensuring that Internet access is used primarily for business purposes and maximizing the Internet-connection capability (i.e., bandwidth) of the organization, particularly during peak usage times. For example, using streaming audio and video services at peak times of the day in terms of the network traffic of an organization can seriously diminish productivity of other users within the organization who are attempting to perform tasks such as e-mail, file transfers, terminal emulations, and network database inquiries.
[0009] Using traditional approaches, organizations apply stringent rules and sometimes overbearing management dicta in order to prevent key business usage of the Internet from being adversely affected by casual or inappropriate usage. The traditional approaches are typically administratively difficult to set up and maintain, as well as being difficult to scale from small organizations to large enterprises. Thus, some of the productivity gains are negated by management overhead.
[0010] One traditional approach to providing access control with regard to resource requests generated within a network is to leverage firewall technology and focus on the well-known packet filtering techniques. This typically requires a computer system to be installed as a router with at least two network interface cards and with no data packets being allowed to be forwarded from one interface card to the other without prior filtering. That is, firewall technology has been "turned around" to form some degree of protection. Rather than controlling outsiders attempting to access resources of the network, the techniques are used to control insiders attempting to access external resources. This approach may work well in some applications, but in others the approach is too simplistic and inflexible.
[0011] U.S. Pat. No. 5,727,146 to Savoldi et al. describes a method for securing network access to a network. All data packets that are transmitted via the network are monitored for authorized source addresses, rather than examining only the initial network connection packets. Thus, network access to a port is secured by monitoring the source address of each packet that is sent as a device tries to train to the port of the network. If the source address matches an authorized source address assigned to the port to which the device is attached, the device is allowed access to the system. However, if the device attempts to train with a source address different from the authorized source address, all packets sent by the device are denoted as errored packets to prevent them from being accepted by any other device in the network. By monitoring all packets, the system detects occurrences in which a device attempts to "disguise" itself by first training with an authorized source address and then sending a packet with an unauthorized source address.
[0012] Another approach to implementing network access control is to add third-party software modules into commercially available proxy server products. For example, software modules that are dedicated to attempting to control access may be added to a web proxy server. The disadvantages of this approach include the fact that only a small subset of Internet protocols is actually routed through a web proxy server. These protocols are typically restricted to browser-based FTP, Gopher and WWW protocols. This subset of protocols does not include the protocols used in the transfer of packets for e-mail, telnet, other file transfers, and streaming audio and video. Therefore, using web proxy servers as choke points allows only an incomplete level of control.

[0013] Another approach to attempting to control access is to establish "blacklists" or "control lists" in proxy servers or in individual client workstations. This is a somewhat simplistic approach to meeting the needs of organizations and is often administratively burdensome to corporations, since the lists must be updated on a regular basis.

[0014] What is needed is a method and system for providing access control to resources of a network in a manner that is flexible, scalable and relatively easy to administer.

SUMMARY OF THE INVENTION 

[0015] The invention is defined in claims 1, 11 and 15, respectively. Particular embodiments of the invention are set out in the dependent claims.
[0016] A method and system in accordance with the invention are configured to provide access control to resources of a network by collecting and assembling data packets of a specific transmission, so as to enable identification of information from raw data packets at the lowest level to application-level data at the top-most level. In terms of the standardized model referred to as the International Standards Organization (ISO) model, the data packets are assembled to determine not only the lower-layer information from the headers of the packets, but also the uppermost Application Layer (i.e., Layer 7) contextual information. Access rules are then applied to determine whether the specific transmission is a restricted transmission.

[0017] In the preferred embodiment, the steps of receiving and assembling the data packets occur non-intrusively with respect to impact on traffic flow through the network. That is, the data packets are intercepted without impact on network performance, unless a restricted transmission is detected. Receiving and assembling the data packets may occur at a workstation or server that is dedicated to providing access control. For example, a free-standing workstation may be connected as a node to the network and may be switched to a promiscuous mode in order to receive all data packets transmitted to or from other nodes of the network. This allows the workstation to receive the fragments (i.e., data packets) of each access attempt from elsewhere on the network to either external destinations or other internal destinations. The fragments are pieced together to identify ISO Layer 7 information, as well as lower layer information. In an e-mail context, the Application Layer information of interest may include the information contained within the "to," "from" and "subject" lines of e-mail messages. In a web context, the Application Layer information of interest may include the text of the HTML pages.

[0018] By placing the dedicated workstation or server outside of the direct paths from source nodes to destination nodes, the impact on network traffic is minimal. However, the method and system may also be implemented by examination and management at a choke point such as a proprietary proxy server, a firewall or other network node that is acting as a gateway between the network and an external network (e.g., the Internet). The examination and management at a choke point may take the form of a plug-in module for receiving, assembling and examining data packets in the manner described above. However, the examination of access attempts at the choke point will not provide the level of access control available by monitoring all traffic within the network, and may well impact network performance. Therefore, the system may include both access monitoring at the choke point and non-intrusive monitoring elsewhere on the network.

EP 0 986 229 A2

[0019] In the approach in which access is examined non-intrusively, the dedicated workstation or server may be configured as a "bare-bones" TCP/IP virtual machine to establish a capability of providing information extending from the lower layers of the ISO model to the Application Layer. There may be more than one dedicated workstation or server, particularly if the network is divided into segments. The access rules are preferably stored as a rules base, which may be centralized if there is more than one node that provides access management. Alternatively, the rules base is configured at a single site, but then automatically distributed to each access control point on the network.
[0020] The access control rules may apply at the time that a connection is established or may depend upon application protocol data following a successful connection. In the preferred embodiment, the rules are applied both at the time of connection and subsequent to the connection, as data packets are assembled. If a node-to-node transmission is determined to be a transmission that is restricted by the rules base, a connection attempt may be denied, a previously established connection may be broken, a simple logging may occur, or a combination of these actions may be implemented. Data collected during the connection attempts or during a connection's lifetime may be passed to third-party software in order for independent validation to occur. However, this is not critical.

[0021] The rules base is preferably divided into two sets of rules. The first set relates to access management requirements with regard to outgoing connection attempts, while the second set relates to internal connection attempts. The rules within each set may be layered in order to allow seemingly inconsistent rules to be included in a single rules base. For example, rules within a particular set may be applied sequentially, so that a specific rule application is accessed prior to a general rule application that contradicts the specific rule. The rules base is preferably configured in terms that are familiar to users, such as usernames, group names, workstation identifiers, destination addresses and URLs, services required, time-of-day, day-of-week and data size.

[0022] An advantage of the invention within a business environment is that the method and system protect employee productivity by ensuring that Internet access is used primarily for business purposes. Another advantage is that the bandwidth availability is used more efficiently. Access may be dynamically controlled based upon factors such as the time of day and the day of the week. Another advantage is that internal security is enhanced by ensuring that access to internal computer resources is managed.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0023]

Fig. 1 is an exemplary topology of a network that utilizes access control management in accordance with the invention.

Fig. 2 is a block diagram of an exemplary network topology having more than one node that establishes access control in accordance with the invention.

Fig. 3 is a schematic diagram of an Ethernet data packet.

Fig. 4 is a schematic view of the seven-layer ISO model and the source layers that are utilized by the invention.

Fig. 5 is a view of a graphical user interface (GUI) in accordance with one embodiment of rules configurations.

Fig. 6 is a block diagram of one embodiment of an access control device in accordance with the invention.

Fig. 7 is a process flow of steps for operating the device of Fig. 6.

DETAILED DESCRIPTION 

[0024] With reference to Fig. 1, an exemplary network is shown as including a router 10 that provides access to the global communication network referred to as the Internet 14 for an organization that is protected from unwanted intruders by a firewall 16. A number of conventional user workstations 18, 20 and 22 are included as nodes of the network. A fourth workstation 24 may be identical to the other workstations, but is dedicated to providing access control management. Thus, the workstation 24 is an access control management console (ACMC). However, one of the other workstations may be used to implement the access rules in a manner that is consistent with the non-intrusive management system to be described below. The workstation 24 may be a conventional desktop computer having a plug-in access management module 26 to monitor traffic within the network.

[0025] Another node within the network is a proprietary proxy server 28 that is used in a conventional manner to enable selected services, such as web services. A web proxy server is designed to enable performance improvements by caching frequently accessed web pages. While such servers tend to add some access control potential by taking advantage of the fact that all HTTP conversations are being channeled through the service, the access control functionality is not a primary focus and only a subset of the protocols that are likely to be encountered via the Internet will be recognized by conventional web proxy servers. For example, the proxy server 28 may provide proxying capability for the HTTP protocol and perhaps browser-based FTP and Gopher, but the proxying capability is not likely to extend to other TCP/IP application protocols, such as telnet, news, e-mail and many proprietary multimedia protocols.
[0026] The network topology of Fig. 1 is shown as an exemplary configuration and is not meant to limit or constrain the description of the invention. The method and system to be described below can operate on a wide variety of network configurations. Moreover, while all workstations 18-24 can be presumed to be running the Microsoft Windows operating system and all servers 28 can be assumed to be running the Microsoft Windows NT Server operating system, the invention is not specific to any one operating system. Although the prime use of the method is anticipated as being applied to networks using the TCP/IP protocols, it can be readily adapted to function with any other set of networking protocols, such as Novell IPX/SPX or IBM NetBEUI.
[0027] It is also assumed that the network for which access management is to be provided includes a number of users, groups of users and workstation addresses. All of these items are assumed to have been pre-configured using known configuration methods provided by the supplier of the network operating system. Although implementation of the invention may be based on data such as usernames and group names from a network operating system or similar repository, there is no dependency on a specific network operating system or a specific mechanism to access such data. Employing usernames and group names that are consistent with other system operations takes advantage of any familiarity that may already exist with this information. Furthermore, in the absence of any such information, the invention may utilize other naming nomenclature, such as IP or Ethernet addresses.
[0028] Referring now to Fig. 2, a first access control module 30 has been installed on the workstation 18 to enable the workstation to function as a passive access control station (PACS). A second instance of an access control module 32 is installed on the proxy server 28, so that this node functions as a proxy access control station (PRACS). Moreover, a third instance of an access control module 34 is installed on the firewall 16 in order to form a gateway access control station (GACS). A key point in the system and method is that the individual workstations 20 and 22 that are accessed by users can be managed without installing any software components specifically on those workstations. Network traffic is monitored and access to internal and external resources is controlled and managed either at choke points (represented by the proxy server 28 and the firewall 16) and/or non-intrusively at nodes which are not choke points (represented by the workstation 18). The access control modules 30, 32 and 34 can be installed, de-installed, and reinstalled on any of the nodes of the network at any time to suit potentially changing network topologies or changing access management policies.
[0029] The location and configuration of each of the access control modules 30, 32 and 34 are selected by an installer based upon pragmatic factors in order to achieve a level of access control that is consistent with the access management policy. As previously noted, the first access control module 30 is not required, since the workstation 24 may serve the dual purpose of allowing a system operator to configure the rules base of access rules and non-intrusively monitoring traffic along the network. The second access control module 32 is optionally used in order to ensure that access is managed for all users who are accessing the WWW by configuring web browsers to operate via the proxy server 28. The third access control module 34 is optionally installed at the firewall 16 in order to validate that both the firewall and the other access control modules have indeed been configured correctly and are performing their desired duties. Firewalls are sometimes difficult to configure, so organizations are increasingly adding second-line checks to their networks to ensure that absolute integrity is being maintained. However, the non-intrusive monitoring at the dedicated workstation 18 is capable of monitoring and controlling all access from all nodes on the network, regardless of TCP/IP protocol. This mechanism can be used to manage all network access that is not routed via the proxy server 28 with a high degree of probability that undesired access can indeed be blocked. Network traffic is non-intrusively monitored, but the system and method may be used to proactively block any requests for resources.
[0030] The non-intrusive monitoring of network traffic at the workstation 18 occurs by receiving and assembling data packets of node-to-node transmissions. Modern networks, including the Internet, are packet switching networks in which a transmission is separated into data packets which are separately transmitted to a destination node. At the destination node, the packets are assembled to form the original composite signal. Fig. 3 depicts an Ethernet data packet according to RFC 894. Traffic along the network of Figs. 1 and 2 may be in the form of transmissions of Ethernet packets. Each Ethernet packet 36 includes five segments. A first 6-byte segment 38 identifies the destination node address, while a second 6-byte segment 40 identifies the address of the source node. The third segment 42 is a 2-byte segment that identifies the protocol type. A data field 44 has a variable length, with a maximum of 1500 bytes. The data field 44 contains the user information. Finally, the fifth segment 46 is a checksum field that is used for error detection and correction purposes.
[0031] As is well known in the art, other standards for packetization are utilized. For example, each header that is used in a TCP transmission or a UDP (User Datagram Protocol) transmission includes a 16-bit destination port number. An Ethernet packet having a TCP/IP packet or UDP/IP packet embedded in its data field will include three designations: (1) the Ethernet addresses of the source and destination nodes; (2) the IP addresses of the source and destination nodes; and (3) the IP port number of the destination node. Other protocols are present and operational in TCP/IP networks and control operations such as routing and the translation of IP addresses to and from hostnames. A protocol referred to as ARP (Address Resolution Protocol) also maps IP addresses to Ethernet addresses.
[0032] By intercepting the Ethernet packet 36 of Fig. 3, the destination address, the source address and the user data are available to the monitoring node. For the non-intrusive monitoring that occurs at the workstation 18 of Fig. 2, the workstation may be placed in the promiscuous mode and there will be no impact on performance of the network. However, the packets that are specific to a particular node-to-node transmission can be collected and assembled merely by configuring the access control module 30 such that the workstation functions as a bare-bones TCP/IP protocol virtual machine. The workstation then has the capability of piecing together the fragments of a multi-packet signal. This enables access management control to base decisions upon information from various levels of the ISO model, from the lower layers to the uppermost Application Layer.
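As an added illustration, not code from the patent, the Python below decodes one captured frame with the five-segment layout of Fig. 3 and extracts the three designations listed in [0031] (Ethernet addresses, IP addresses, destination port) together with the user data that a Layer 7 check would need. The frame, its addresses and the SMTP payload are constructed for the example; the fifth segment is treated as the IEEE 802.3 CRC-32 frame check sequence.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Designations:
    """The three designations the text lists for a TCP/IP or UDP/IP packet, plus the user data."""
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    dst_port: int
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Designations]:
    """Decode one frame laid out as in Fig. 3: dst(6) src(6) type(2) data FCS(4).
    Returns None for frames that fail the checksum or do not carry IPv4 over TCP/UDP."""
    if len(frame) < 14 + 20 + 4:
        return None
    body, fcs = frame[:-4], frame[-4:]
    # The fifth segment is the CRC-32 frame check sequence, sent least-significant byte first.
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", body[:14])
    data = body[14:]                         # segment 44: the user information
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (data[0] & 0x0F) * 4               # IPv4 header length in bytes (IHL field)
    proto = data[9]
    transport = data[ihl:]
    if proto == PROTO_TCP and len(transport) >= 20:
        hdr_len = (transport[12] >> 4) * 4   # TCP data offset
    elif proto == PROTO_UDP and len(transport) >= 8:
        hdr_len = 8
    else:
        return None
    # TCP and UDP both carry the 16-bit destination port at bytes 2..3 of their header.
    dst_port = struct.unpack("!H", transport[2:4])[0]
    return Designations(
        eth_src=":".join(f"{b:02x}" for b in src),
        eth_dst=":".join(f"{b:02x}" for b in dst),
        ip_src=".".join(str(b) for b in data[12:16]),
        ip_dst=".".join(str(b) for b in data[16:20]),
        dst_port=dst_port,
        payload=transport[hdr_len:],
    )


def build_frame(eth_src: bytes, eth_dst: bytes, ip_src: bytes, ip_dst: bytes,
                dst_port: int, payload: bytes) -> bytes:
    """Constructed test input: a minimal IPv4/TCP segment wrapped in an Ethernet frame."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0, ip_src, ip_dst)
    body = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    return body + struct.pack("<I", zlib.crc32(body))


# Constructed sample: a workstation sending the start of an SMTP message. Addresses are the
# RFC 5737 documentation ranges and locally administered MAC addresses, not real hosts.
SAMPLE = build_frame(
    eth_src=bytes.fromhex("020000000001"), eth_dst=bytes.fromhex("020000000002"),
    ip_src=bytes([192, 0, 2, 20]), ip_dst=bytes([198, 51, 100, 25]),
    dst_port=25, payload=b"Subject: quarterly figures\r\n",
)


def sample_designations() -> Optional[Designations]:
    return parse_frame(SAMPLE)


def tampered_sample() -> Optional[Designations]:
    """Flip one bit inside the IP header; the FCS no longer verifies, so nothing is trusted."""
    corrupted = bytearray(SAMPLE)
    corrupted[20] ^= 0x01
    return parse_frame(bytes(corrupted))


if __name__ == "__main__":
    print(sample_designations())
```

Most network interfaces verify and strip the FCS before a promiscuous capture reaches software, so on a real monitoring node the checksum branch is only exercised when the driver is configured to deliver it.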

[0033] Communications protocols are a layered set often referred to as a "stack." The International Standards Organization (ISO) has developed a model referred to as the ISO 7-layer model, which serves as a basic reference. Each layer represents a particular function. The function of a particular layer may be executed in hardware or software or a combination of hardware and software. At times, a single program performs the functions of more than one layer. Fig. 4 illustrates the seven layers of the ISO model. The lowermost layer, referred to as the Physical Layer 50, is the hardware network connection, such as a physical wire. ISO Layer 2, the Data Link Layer 52, is responsible for providing reliable transmissions of data. Layer 2 may be a network interface card that links a computer to the network.
[0034] ISO Layer 3, the Network Layer 54, is the network software for routing packets throughout the network. ISO Layer 4, the Transport Layer 56, transports data from the network to the upper levels of the ISO model.

[0035] ISO Layer 5, the Session Layer 58, deals with establishing network sessions. Logical connections are established based upon a request of a user. ISO Layer 6, the Presentation Layer 60, deals with the presentation of data to an application which resides at ISO Layer 7, the Application Layer 62. Examples of the Application Layer include FTP, HTTP and SMTP. Layer 7 provides access to the Internet for a user.

[0036] Fig. 4 illustrates three inputs to a step 64 of storing data packets. The first input 66 represents the actual input of data packets, while the second and third inputs 68 and 70 are operational representations. Referring to Figs. 2 and 4, the workstation 18 that non-intrusively monitors network traffic receives inbound and outbound data packets through Layers 1 and 2. As previously noted, the network interface card of Layer 2 is set to the promiscuous mode, so that the data packets of the network are received over the Physical Layer 50. Optionally, the rules base of the access management module 26 may be utilized more than one time. In a first application of the rules base, the first packet of a resource request may be used to detect the source and destination nodes, allowing access determinations to be based on this low-level information. However, higher level decisions can be formed only after a connection has been established and the actual content has begun to flow over that connection. This is in contrast to conventional operations of firewalls, which typically only act as low-level packet filters (i.e., at ISO Layer 2).
[0037] As indicated by the input 68, the invention includes assembling the data packets to detect information at the Transport Layer 56 and the Network Layer 54 of the ISO model. Moreover, Layer 7 information is acquired by assembling the data packets, as represented by the input 70. For example, in an e-mail environment, the Application Layer information that may be relevant to application of the rules base may include information within the "subject" line of an e-mail message. This information is acquired only upon accessing the data fields of the data packets of the e-mail message. At step 66, the necessary information has been acquired for applying the rules base. As previously noted, the application may occur more than once for a single multi-packet transmission. The desirability of providing single or multiple rules applications may depend upon a number of factors.

[0038] Referring now to Fig. 5, an embodiment of a graphical user interface (GUI) 68 is shown for use by a system operator to configure the rules base that determines the action of the access control modules 30, 32 and 34 of Fig. 2. The action of each access control module is determined by rules configured at the ACMC 24, which includes the access management module 26. The management module presents the GUI 68, although this is not critical to the invention.

[0039] In the preferred embodiment, the rules base is comprised of a twin set of ordered rules. One of the sets of rules relates to access management requirements for outgoing access, while the second set relates to inbound connection attempts. Within each set, the rules are in a sequence that dictates the sequence in which the rules are considered. This sequencing ensures that rules are applied in a specific deterministic order, allowing the system operator to layer more specific rules ahead of more general rules. Thus, seemingly inconsistent rules can be established. For example, a rule may be configured to give User A access to a certain resource ahead of a rule banning everyone in the organization from accessing that resource. This has the effect of allowing access by User A and blocking access to that resource by all other users.

[0040] After a rules base has been configured by a system operator, the rules base is downloaded to the access control modules 30, 32 and 34. Thus, any subsequent changes in the rules base may be implemented at the various nodes in an efficient dynamic manner.
[0041] Regarding the configuration of the rules, various objects may be utilized to provide a more granular or less granular rule. Affected parties may be designated by usernames and group names (both typically from the network operating system), ad hoc groupings of users, and workstation addresses. Other objects include network services, source addresses (IP address, hostname or URL), destination addresses (IP address, hostname or URL) and time-slot specifiers (time of day, day of week, etc.). These objects are graphically dragged and dropped onto each rule, as required in order to dynamically and graphically build up the rule within the overall rules base. Against each rule, an action is configured to specify the resulting action that should be performed if a rule is matched at runtime. Potential actions include (1) disallowing the connection attempt, (2) allowing the connection attempt to be completed, (3) passing off the decision-making on whether the connection should be allowed or disallowed to a third-party component (which may, for example, consult a control list or perform other checks), (4) allowing the connection, but performing further analysis on the data stream in order to determine whether a connection should be broken at some future point (e.g., based upon the number of bytes that are transferred), and (5) performing further collection of the data stream and passing off the collection to a third-party component for further analysis (e.g., an anti-virus product).
[0042] Rules can be amended, deleted or reordered 
using the graphical user interface 68 of Rg. 5. The rules 
base is stored in an internal format that is then made 
available to the various access control modules 30. 32 
and 34, as described above. 

[0043] The graphical user interface 68 is divided into two portions. The lower portion 70 is used to define network objects, such as usernames, groups, workstations and other such entities mentioned above. This information is built up by the system operator, but as much information as possible is gleaned from the network operating system. Typically, all usernames, group names and workstation addresses are established via reference to the network operating system. It is also possible to form ad hoc groupings for ease of use, such as groupings of users that are not configured or that are configured differently in the network operating system. Object-oriented technology simplifies the definition process by allowing operational parameters to be defined for object classes, rather than each individual network element. It is thus possible to perform access control at a detailed level of controlling individual user access and at a more general level of network groups of users or ad hoc groupings of users. This allows the operator to have flexibility in the access management task. It is thus possible to allow different access control criteria to different levels of employees and managers.

[0044] Other objects that are defined in the lower portion 70 of the GUI 68 are services, such as e-mail, file transfer, WWW and any of the other possible sets of services allowed in a TCP/IP network. Specific properties of a service include its name and its TCP/IP port number. Certain well-known services are pre-configured for the operator. For example, it is known that the telnet service should be pre-configured on port 23. Any services may, however, be added or modified by the operator.

[0045] The upper portion 72 of the GUI 68 contains the rules. The total set of rules is referred to as the rules base. Rules are constructed graphically by the operator by dragging objects from the lower portion 70 and dropping them into specific rules of the upper portion 72. Rule ordering is important and can be changed graphically by dragging a rule to a new position in the sequence. When rules are consulted at runtime, a top-down ordering is implemented. As previously noted, two sets of rules are maintained, one relating to outbound communications and the other relating to inbound communications.
[0046] In the preferred embodiment, storage logs are maintained for transaction data. The storage logs may be maintained for all of the transaction data or subsets of the data. The storage logs may then be used for further analysis by built-in or third-party components. However, this is not critical to the invention.
[0047] Fig. 6 is an exemplary arrangement of hardware and software for implementing the network access control system and method. A Passive Access Control Station, such as the workstation 18 of Fig. 2, includes an input port 74 that is placed in a mode to receive all data packets destined for any node on the network. The data packets that are specific to a particular node-to-node transmission are combined at a packet assembler 76. Detailed information from the assembled data packets is stored until sufficient information is acquired regarding the node-to-node transmission to apply the previously configured rules base 78. The process of applying the rules base to the acquired information may occur in a single step or may be a multi-step process. For example, in Fig. 6 there is a state identifier 80 and a context identifier 82. The state identifier is used to determine information regarding the lower layers of the ISO model, while the context identifier 82 acquires higher layer information, including Application Layer information. The rules base 78 may be consulted a first time when the state identifier 80 has acquired sufficient information, and then applied a second time when the context identifier 82 has acquired sufficient higher level information.

[0048] It is important to note that information which is stored includes both low level state information and contextual information that is discovered at points in the network stack other than Layers 1 and 2. Full Application Layer awareness is achieved without the need to implement specific application proxies for each service. The two parts of the proxy process are linked in order to accommodate the possibility that proxy connections are being made, since the real source node and the final destination node must be identified to ensure that the correct rule is applied in managing network access.

[0049] If it is determined that a particular node-to-node transmission is unrestricted, the transmission is unaffected by the process. Optionally, data regarding the transmission may be stored within a log 84. However, if the transmission is a restricted transmission, any one of a number of actions may be initiated by a connection controller 86. When the connection from a source node to a destination node has not been completed, the connection controller may generate a signal that is output via the output port 88 to an appropriate node (e.g., a router) for preventing the connection. For situations in which the connection is established, the controller 86 may generate a signal that disables the connection. As a third alternative, the connection may be allowed, but further analysis of the data stream may be performed in order to ascertain whether the connection should be disabled at some future time (e.g., based upon the number of bytes that are transferred during the connection). The decision of whether to allow or disallow the connection may be passed to another node, such as a third-party component which consults a control list or performs other checks.
[0050] Fig. 7 details the steps of providing access control in accordance with the invention. In step 90, network traffic is monitored non-intrusively, such as by the workstation 18 of Fig. 2. Packets that are specific to a particular communication (i.e., node-to-node transmission) are identified in step 92 and assembled in step 94. Decision step 96 determines whether sufficient information has been acquired to apply the rules of the rules base.

[0051] When sufficient information has been acquired to apply the rules base, the first rule is consulted to determine if the packet information set matches the rule. As previously noted, the rules base is organized into a first set of outbound-related rules and a second set of inbound-related rules. Moreover, the rules in a particular set are consulted in a top-down order. Thus, the rule that is applied in step 98 is the first rule in the appropriate set of rules. At step 100, a decision is made as to whether the information set fits the rule applied in step 98. If a rule fit is recognized, the appropriate rule action is applied at step 102. The appropriate rule action may be designated within the rules base. If the rule is affirmatively stated (e.g., "allow all HTTP connections"), the action will allow the connection to remain unhindered. Other prescribed actions may include logging information to a database, sending an e-mail message, raising an alert in a pre-established manner, or diverting the data content of the connection to a third-party process which can determine whether the connection should be maintained by referencing other data, such as anti-virus rules or one or more control lists.

[0052] If in the decision step 100 it is determined that the first rule is not applicable, decision step 104 determines whether there is another applicable rule. If there are fifteen rules within the set of rules that are applicable to the communication under consideration, steps 98, 100 and 104 will be repeated fifteen times or until the information set matches one of the rules.
[0053] Preferably, there is a default rule at the end of each set of rules in the rules base. Referring briefly to Fig. 5, the GUI 68 shows six rules in its set of outgoing rules in the upper portion 72 of the GUI. The sixth and final rule to be applied is the default rule that disallows outgoing communications that are not specifically allowed within the set. Alternatively, the default rule may be to allow the communication.

[0054] After all of the appropriate rules have been applied, the optional decision step 106 is executed. The access rules of the rules base are pre-parsed to identify which rules can be applied at the basic connection time and which rules need to be held over for application once the connection is completed and data is flowing. If, for a particular node-to-node transmission, it is determined that no rules need to be held over, the default rule can be applied at connection time, assuming that there is no prior rule that provides an affirmative response at step 100. However, if access rules need to be applied once data is flowing, the default rule is applied with the held-over rules. Thus, when there are access rules that relate to data flow, the connection is allowed to be completed, unless it is determined at step 100 that the connection is a restricted one. If it is determined at step 106 that rules have been held over, the packets continue to be assembled at step 94 and the process repeats itself in order to apply the held-over rules. On the other hand, if there are no held-over rules, the process returns to the step 92 of identifying packets of a specific communication. However, the implementation, and even existence, of step 106 is not critical to the invention.
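The rule-evaluation flow of steps 98 to 106, together with the layered ordering of [0039] and the rule objects of [0041], written out as an added Python example (not code from the patent): twin ordered sets, top-down first match, a default rule last, and a pre-parse that holds byte-count rules over until data is flowing. The rule names, hostnames, hours and the 10 MB cap are constructed for illustration.

```python
# Added example (not the patent's code): an ordered rules base with twin outbound/inbound
# sets, top-down first match, a default rule last, and a pre-parse that holds data-flow
# rules over until the connection is completed ([0039], [0041], [0050]-[0054]).
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY, BREAK = "allow", "deny", "break"

@dataclass
class Rule:
    name: str
    action: str                       # ALLOW or DENY
    users: Optional[set] = None       # None = no object dropped on the rule, so it matches anyone
    services: Optional[set] = None    # TCP/IP port numbers
    dests: Optional[set] = None       # destination hostnames
    hours: Optional[range] = None     # time-slot specifier (hour of day)
    max_bytes: Optional[int] = None   # only on held-over rules: break the connection past it

    def matches(self, tx: dict) -> bool:
        """Every object attached to the rule must fit the assembled transmission."""
        return ((self.users is None or tx["user"] in self.users)
                and (self.services is None or tx["port"] in self.services)
                and (self.dests is None or tx["dest"] in self.dests)
                and (self.hours is None or tx["hour"] in self.hours))

    def held_over(self) -> bool:
        return self.max_bytes is not None

class RulesBase:
    def __init__(self, outbound: list, inbound: list):
        self.sets = {"outbound": outbound, "inbound": inbound}  # last rule of each = default

    def connection_decision(self, tx: dict):
        """Steps 98/100/104/106: consult rules top-down; return (action, held-over rules)."""
        ordered = self.sets[tx["direction"]]
        held = [r for r in ordered if r.held_over() and r.matches(tx)]
        for rule in ordered[:-1]:
            if rule.held_over():
                continue              # pre-parsed out for application once data is flowing
            if rule.matches(tx):
                return rule.action, (held if rule.action == ALLOW else [])
        if held:                      # default rule is applied together with the held-over rules
            return ALLOW, held
        return ordered[-1].action, []

    @staticmethod
    def data_flow_decision(held: list, bytes_transferred: int):
        """Second pass over held-over rules while packets keep being assembled (step 94)."""
        for rule in held:
            if bytes_transferred > rule.max_bytes:
                return BREAK, rule.name
        return ALLOW, None

# Constructed outbound set in the layered style of [0039]: a specific "allow" for user_a
# sits ahead of a general ban on the same resource; a byte-capped web rule is held over.
OUTBOUND = [
    Rule("user_a ftp", ALLOW, users={"user_a"}, dests={"files.example.test"}),
    Rule("ban ftp host", DENY, dests={"files.example.test"}),
    Rule("web 10 MB cap", ALLOW, services={80}, hours=range(8, 18), max_bytes=10_000_000),
    Rule("default deny", DENY),
]
RULES = RulesBase(OUTBOUND, [Rule("default deny", DENY)])

def decide(user, dest, port, hour, direction="outbound", bytes_transferred=0):
    """Connection-time pass, then the data-flow pass if any rules were held over."""
    tx = {"user": user, "dest": dest, "port": port, "hour": hour, "direction": direction}
    action, held = RULES.connection_decision(tx)
    if action == ALLOW and held:
        action, _ = RULES.data_flow_decision(held, bytes_transferred)
    return action
```

Because the ban on the FTP host sits below the user_a rule, user_a is allowed and everyone else is denied; a web connection inside the time slot is completed at connection time and only broken later once the held-over byte cap is exceeded.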

[0055] It is worth noting that various changes and modifications can be made to the above examples to achieve the same results, while remaining within the scope of the method and system. For example, access management control can be performed on a generic gateway machine, as opposed to a firewall, a proxy server or a passive workstation.

Claims

1. A method of providing access control to resources of a network comprising steps of:

monitoring network traffic, including receiving data packets transmitted to and from nodes of said network such that receptions of said data packets are non-intrusive with respect to traffic flow of said network;

with respect to individual node-to-node transmissions within said network, assembling said received data packets specific to said individual node-to-node transmissions, thereby forming assembled communications;

based upon said assembled communications, identifying source nodes and destination nodes and contextual information for said individual node-to-node transmissions; and

applying access rules to said assembled communications in determinations of whether said individual node-to-node transmissions are restricted transmissions, including basing said determinations on said identifying said source and destination nodes and said contextual information.

2. The method of claim 1 wherein said steps of receiving and assembling said data packets are executed at a network element that is outside of direct paths from said source nodes to said destination nodes of said node-to-node transmissions.

3. The method of claim 2 wherein said steps of receiving and assembling said data packets are executed at a workstation that is dedicated to providing access control to said resources.

4. The method of claim 1 further comprising a step of determining whether to disallow said individual node-to-node transmissions based upon said step of applying said access rules.

5. The method of claim 1 further comprising a step of generating said access rules in a form of a rules base that includes a first set of rules specific to individual node-to-node transmissions having a source or destination node that is outside of said network and further includes a second set of rules specific to individual node-to-node transmissions having both of said source and destination nodes as network elements of said network.

6. The method of claim 5 wherein said step of generating said access rules includes forming said first set of rules to be specific to communications via the global communications network referred to as the Internet.

7. The method of claim 6 wherein said step of assembling said received data packets is enabled for at least one of Transmission Control Protocol (TCP) services and User Datagram Protocol (UDP) services.

8. The method of claim 5 wherein said step of generating said access rules further comprising basing at least some of said access rules upon time, such that said determinations of whether said individual node-to-node transmissions are restricted transmissions are time-dependent determinations.

9. The method of claim 1 wherein said step of identifying said source and destination nodes and said contextual information includes collecting ISO Layer 7 data for use in said step of applying said access rules.

10. The method of claim 1 further comprising a step of executing first-line network intrusion detection at an entry point of said network such that transmissions from nodes that are external to said network, said first-line network intrusion detection being independent of said step of applying said access rules.

11. A method of providing access control to resources that are internal to and external of a network of nodes, including computing devices of users of said network, said method comprising steps of:

generating a rules base related to restricting access to said resources by said nodes of said network, including forming a first set of rules specific to access to external resources and a second set of rules specific to access to internal resources;

monitoring transmissions that include one of said computing devices;

acquiring information regarding each said transmission, including determining information relating to at least Layers 2, 3 and 7 of the ISO model; and

applying said rules base to said acquired information to detect transmissions in which access to said resources is restricted by said rules base, including initiating a predetermined action in response to detecting that a specific transmission relates to an access that is restricted.

12. The method of claim 11 wherein said steps of monitoring said transmissions and acquiring said information are executed non-intrusively, such that transmissions for which accesses are restriction-free occur without impact on transmission traffic within said network.

13. The method of claim 12 wherein said steps of monitoring said transmissions and acquiring said information include receiving and assembling data packets at a node of said network, said node being outside of direct paths of said transmissions to and from said user computing devices.

14. The method of claim 11 wherein said step of acquiring information relating to Layer 7 includes assembling data packets received at said network via the Internet and includes assembling data packets that are exchanged between network elements of said network, said step of acquiring information further including determining contextual data relating to sources and destinations of said data packets.

15. A system for providing access control to resources of a network comprising:

a plurality of nodes, including computing devices;

means for non-intrusively intercepting data packets to and from said nodes such that said intercepting is substantially transparent to packet flow within said network;

means for identifying said data packets of discrete transmissions and assembling said data packets;

means for determining sources and destinations of said discrete transmissions and contextual information contained therein;

a rules base store having a plurality of rules relating to controlling access to said resources of said network; and

means for controlling said access based upon matching said rules to said sources, destinations and contextual information from said means for determining.

16. The system of claim 15 wherein said means for non-intrusively intercepting said data packets is positioned within said network and is operative to receive data packets transmitted between said nodes of said network.

17. The system of claim 16 wherein said means for non-intrusively intercepting is one of a workstation or a server dedicated to access control within said network.

18. The system of claim 16 wherein said rules base store includes a first set of rules specific to transmissions to destinations outside of said network and includes a second set of rules specific to transmissions having sources and destinations that are nodes of said network.